
Cybersecurity & Infrastructure Security Agency (CISA) Pledge – Source: securityboulevard.com


Source: securityboulevard.com – Author: Darren Platt

When the Cybersecurity and Infrastructure Security Agency (CISA) introduced the Secure by Design pledge in May of last year, it immediately resonated with our engineering philosophy; it was a natural fit, not a shift. Thanks to our highly skilled DevSecOps team, embracing the pledge wasn’t a decision we had to make—it’s simply how we operate. Led by Rhys Campbell, whose deep commitment to security drives our approach, the team consistently pushes us to meet the highest standards and do what’s right, not just what’s easy.

How Secure by Design aligns with Strata’s identity-first approach

At Strata, Secure by Design isn’t just a principle — it’s embedded in our DNA. As an identity software company, we have a responsibility to meet the highest standards of privacy and security in everything we build and deliver. As more organizations adopt Zero Trust Architecture, the role of identity in overall security is becoming undeniable. We take that responsibility seriously, applying rigorous processes throughout our development lifecycle and working closely with our customers to ensure they’re leveraging our capabilities to secure access to their resources in the most effective way possible. 

Helping customers put the pledge into practice 

A great example of our security-first approach is how the Maverics Identity Orchestration Platform delivers a truly passwordless experience for administrator access—both for Strata and our customers. Administrator authentication never relies on passwords, eliminating a common attack vector and reinforcing our commitment to modern, resilient security practices.

Looking ahead, we’re excited to partner with our customers to help them align with the principles of the Secure by Design pledge. That’s our mission: enabling organizations to adopt secure identity practices by design, not as an afterthought.

CISA’s pledge outlines seven key areas where organizations can focus on strengthening their security posture meaningfully. These include:

  1. Multi-Factor Authentication (MFA)
    Goal: Within one year of signing the pledge, demonstrate actions to measurably increase the use of multi-factor authentication across the manufacturer’s products. 
  2. Default Passwords
    Goal: Within one year of signing the pledge, demonstrate measurable progress towards reducing default passwords across the manufacturers’ products. 
  3. Reduce Entire Classes of Vulnerabilities
    Goal: Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products. 
  4. Security Patches
    Goal: Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers. 
  5. Vulnerability Disclosure Policy
    Goal: Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP).  
  6. CVEs
    Goal: Within one year of signing the pledge, demonstrate transparency in vulnerability reporting. 
  7. Evidence of Intrusions
    Goal: Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.

Here is where we are for each of the above areas of focus:

1. Multi-Factor Authentication (MFA)

GOAL: “Within one year of signing the pledge, demonstrate actions to measurably increase the use of multi-factor authentication across the manufacturer’s products.”

CURRENT STATE:

Strata does not allow our customers’ administrators to log into our Maverics platform using a password, because of the inherent insecurity of passwords. Strata provides its own MFA capabilities for logging into the platform and partners with MFA vendors to offer alternatives.

Strata also provides a federated single sign-on (SSO) capability to streamline secure access to the Maverics platform. We collaborate closely with our customers to ensure that any federated login we accept is backed by strong authentication — reinforcing trust at every access point.

Additionally, Strata allows its customers to add MFA to existing enterprise applications and reduce the use of passwords. Strata’s Services and Support teams work with customers to ensure the secure adoption and deployment of these.

PLEDGE:

  • Enhance our documentation and customer conversations to strongly encourage users to leverage our passwordless technology and MFA (i.e. passkeys) when logging into the Maverics console via a third-party IDP.
  • Maintain monthly manual audits of every application involved in designing, building, and operating the Maverics platform. These audits verify that all user accounts across our development environments enforce passwordless authentication, ensuring consistency with our security standards.
  • Continue implementing the emerging profiles of federation standards that offer the best security. One example is DPoP (Demonstrating Proof of Possession), an OAuth extension that cryptographically binds an access token to a particular client when the token is issued. It is one of several efforts to improve the security of bearer tokens: the application presenting the token must prove possession of the same private key that was used to obtain it.
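The DPoP binding described in the last bullet, shown as an added example that is not Strata’s or Maverics’ code: a reduced version of the RFC 9449 check in Go. It assumes an ES256 (P-256) client key, carries the proof as a plain struct rather than a compact JWS, and leaves out the jti/iat replay checks, the ath token hash and the server nonce that a production verifier also needs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"math/big"
)

// Proof is a reduced DPoP proof: P-256 public key (base64url), bound request, ES256 r||s signature.
type Proof struct{ X, Y, Htm, Htu string; Sig []byte }
// Thumbprint is the RFC 7638 value the issuer stores in the access token's cnf.jkt claim:
// SHA-256 over the required JWK members in lexicographic order with no whitespace.
func Thumbprint(x, y string) string {
	sum := sha256.Sum256([]byte(`{"crv":"P-256","kty":"EC","x":"` + x + `","y":"` + y + `"}`))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}
func (p Proof) digest() []byte { // what the signature covers: the key plus the request
	h := sha256.Sum256([]byte(p.X + "." + p.Y + "." + p.Htm + "." + p.Htu))
	return h[:]
}

// SignProof is the client side: prove possession of the private key for this one request.
func SignProof(priv *ecdsa.PrivateKey, htm, htu string) Proof {
	x, y := priv.X.FillBytes(make([]byte, 32)), priv.Y.FillBytes(make([]byte, 32))
	p := Proof{X: base64.RawURLEncoding.EncodeToString(x), Y: base64.RawURLEncoding.EncodeToString(y), Htm: htm, Htu: htu}
	r, s, _ := ecdsa.Sign(rand.Reader, priv, p.digest())
	p.Sig = append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return p
}

// VerifyProof is the resource-server check: key matches the token's cnf.jkt, request matches, signature verifies.
func VerifyProof(p Proof, tokenJkt, htm, htu string) error {
	if Thumbprint(p.X, p.Y) != tokenJkt {
		return errors.New("proof key is not the key the token is bound to")
	}
	if p.Htm != htm || p.Htu != htu {
		return errors.New("proof is bound to a different request")
	}
	xb, _ := base64.RawURLEncoding.DecodeString(p.X)
	yb, _ := base64.RawURLEncoding.DecodeString(p.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if len(p.Sig) != 64 || !ecdsa.Verify(pub, p.digest(), new(big.Int).SetBytes(p.Sig[:32]), new(big.Int).SetBytes(p.Sig[32:])) {
		return errors.New("signature does not prove possession of the bound key")
	}
	return nil
}
```

The authorization server stores Thumbprint of the client’s key in the token’s cnf.jkt claim at issuance; VerifyProof then rejects the token when it is presented with any other key, which is what turns a bearer token into a sender-constrained one.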

2. Default Passwords

GOAL: 

“Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.”

CURRENT STATE:

Passwords are never accepted directly to authenticate administrators to the Maverics platform; only passwordless authentication can be used to log in to Maverics. Strata offers its own MFA for some scenarios and also integrates third-party MFA providers. SAML authentication to the Maverics administration console is also available upon request.

PLEDGE:

Continue to ensure that passwords are not used in our products.

3. Reducing Entire Classes Of Vulnerability

GOAL: 

“Within one year of signing the pledge, demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.”

CURRENT STATE:

Since our inception, Strata has been diligent about the security of the pipelines we use to deliver software and services to our customers. Some of the things we do in support of this priority are:

  • Implementing a CI/CD pipeline and a DevSecOps function
  • Leveraging Infrastructure as Code approaches to ensure we work in secure, consistent environments
  • Integrating security scans (including SAST and DAST scans) into our CI/CD pipeline, covering our code and all dependencies
  • Leveraging secure secret storage approaches across the entire environment
  • Enforcing access control policies on the systems involved in building and delivering our products and services
  • Regular penetration testing of our environments
  • Threat modeling exercises
  • Monthly manual audits of access
  • Manual code reviews

PLEDGE:

Strata has enhanced its scanning capabilities by incorporating emerging tools and techniques, strengthening our ability to proactively identify and address potential vulnerabilities.

4. Security Patches

GOAL: 

“Within one year of signing the pledge, demonstrate actions taken to measurably increase the installation of security patches by customers.”

CURRENT STATE:

Strata’s globally distributed Maverics cloud-based production platforms run exclusively on Kubernetes (EKS) hosted on underlying AWS nodes. Those nodes are routinely rotated, and updates are applied during that rotation.

The component of our platform that runs in our customers’ infrastructure, called the Orchestrator, is updated/patched according to our customers’ internal deployment pipeline and schedule. Strata works to make this integration with their pipeline as convenient as possible to encourage frequent updates.  

PLEDGE:

Strata will automate the patching of all instances in our development and sandbox environments, specifically targeting virtual machines (EC2 instances).

5. Vulnerability Disclosure Policy

GOAL: 

“Within one year of signing the pledge, publish a vulnerability disclosure policy (VDP) that authorizes testing by members of the public on products offered by the manufacturer, commits to not recommending or pursuing legal action against anyone engaging in good faith efforts to follow the VDP, provides a clear channel to report vulnerabilities, and allows for public disclosure of vulnerabilities in line with coordinated vulnerability disclosure best practices and international standards.”

CURRENT STATE:

Strata has run a Vulnerability Disclosure Program since its inception. 

PLEDGE: 

No immediate changes are required.

6. CVEs

GOAL: 

“Within one year of signing the pledge, demonstrate transparency in vulnerability reporting by including accurate Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields in every Common Vulnerabilities and Exposures (CVE) record for the manufacturer’s products. Additionally, issue CVEs in a timely manner for, at minimum, all critical or high-impact vulnerabilities (whether discovered internally or by a third party) that either require actions by a customer to patch or have evidence of active exploitation.

While not required for this goal, companies are encouraged to go above and beyond by filing CVEs for other vulnerabilities that do not meet these criteria for the reasons described below. Companies are also encouraged to explore additional ways to enrich their CVE records to help customers better respond to vulnerabilities.”

CURRENT STATE:

Strata currently shares information about its security posture on our website, security-trust.strata.io. If and when we find a security vulnerability in our platform, we post about it there.

PLEDGE:

Strata commits to extending its current VDP program to demonstrate further transparency in vulnerability reporting: when our Security Engineering Team handles a vulnerability event, it will assign and issue a Common Vulnerabilities and Exposures (CVE) record for the Maverics platform.

7. Evidence Of Intrusions (Observability/Logging)

GOAL: 

“Within one year of signing the pledge, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.”

CURRENT STATE:

The Strata Maverics Platform currently logs all administrator and end-user activity, including signals that can be used to find attempted and successful intrusions. Customers can integrate that data feed with other systems, including log aggregation and SIEM tools, which are used to find anomalous user behavior.

PLEDGE:

  • The Maverics Identity Orchestration platform’s observability will be continuously enhanced to provide the visibility needed to detect intrusions and diagnose other anomalous conditions.
  • SaaS logs will be retained for at least 6 months at no additional charge to customers.

Committed to building a safer digital future

Strata is proud to be among the first wave of companies to sign the CISA Secure by Design pledge. We see this not as a checkbox exercise, but as an opportunity to lead by example — advancing identity security and helping our customers do the same.

Security is not a one-time initiative; it’s a continuous commitment. From eliminating passwords to enhancing observability and transparency, we’re taking deliberate steps to align with CISA’s principles and raise the bar for how software is built, deployed, and maintained.

We look forward to sharing our progress and collaborating with others in the industry who are also committed to making security a foundational part of how technology is created.


*** This is a Security Bloggers Network syndicated blog from Strata.io authored by Darren Platt. Read the original post at: https://www.strata.io/blog/product-engineering/cisa-pledge/

Original Post URL: https://securityboulevard.com/2025/03/cybersecurity-infrastructure-security-agency-cisa-pledge/?utm_source=rss&utm_medium=rss&utm_campaign=cybersecurity-infrastructure-security-agency-cisa-pledge

